Major web sites like Yahoo.com and Boston.com are infecting thousands, if not hundreds of thousands, of computers with trojans, back doors, and other viruses through some of their ad service providers. When will the people in charge of these web sites wake up and start screening the ads that they are serving?

For the second time in less than a week, I just spent 8 hours cleaning up my PC after a virus infection and doing some forensic analysis about where it came from. What I found gave me a bad headache.

Last night, in between compiling and testing, I read an article on Yahoo News about Obama’s science advisor and his strategies for fighting climate change. I am not giving you a link here. Then my virus scanner popped up an alert:

The file was gone, but it was too late by then; the infection had already happened. CPU load was increasing, so I pulled the network cable and fired up the Sysinternals Process Explorer to see what was going on. I saw a number of randomly named DLLs loaded from the /Windows/System32 folder. Deleting the files did not help, because new ones were created immediately, and revoking all permissions from the running threads did not help, either. I could not get rid of these rogue processes, and I had no idea what they were doing. So I turned off the power, booted Knoppicillin, and let Kaspersky, Avira, and BitDefender do a full scan overnight. The results were meager, and I will share them here:
//
//Kaspersky Antivirus Scanner scan report
//
[09/04/09 09:31:39 I] Kaspersky Anti-Virus On-Demand Scanner for Linux. Version 5.7.20/RELEASE build #29, compiled Jul 25 2008, 13:21:47
[09/04/09 09:31:39 I] Copyright (C) Kaspersky Lab, 1997-2007.
[09/04/09 09:31:54 I] There are 1830965 records loaded, the latest update 09-04-2009, using standard bases set
[09/04/09 09:31:54 I] The scan path: /media/sdc1
[09/04/09 12:49:14 I] Scan summary: Files=171233 Folders=16955 Archives=5034 Packed=2063 Infected=0 Warnings=0 Suspicios=0 Cured=0 CureFailed=0 Corrupted=6 Protected=0 Error=0 ScanTime=03:17:18 ScanSpeed=5715.743 Kb/s

(I apologize for the character encoding issues)
Only BitDefender found something (it found my copies of the DLLs, and the ones that were active). Avira did not like one of the Sysinternals programs. None of them found this file, also in the System32 folder: kerisudu, without extension.
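The manual hunt described above (new files in System32 that none of the scanners flagged, such as the extensionless kerisudu, and later in the post the browser cache sorted by timestamp) is the kind of thing that is worth scripting. The following is an added example and not code from the original post: it walks a directory, keeps every file whose modification time falls inside a chosen window, hashes it so it can be looked up on VirusTotal, and flags names that lack an extension, look machine-generated, or are missing from a known-good baseline. The baseline, the name heuristic and the sample directory are constructed for illustration; on a real case the baseline would be the file list of a clean install and the window would be the minute of the infection, and the name heuristic is noisy on its own (legitimate names such as msvcrt also match), so the timestamp window and the baseline do the real filtering.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime

# Constructed baseline: on a real system this would be the file list (or hash
# set) of a known-clean install, not a three-entry set.
BASELINE = frozenset({"kernel32.dll", "ntdll.dll", "readme.txt"})

# Lowercase-letters-only stems of 6..12 characters, like "kerisudu".  Noisy on
# its own, so it is only a secondary flag next to the time window and baseline.
RANDOM_STEM = re.compile(r"^[a-z]{6,12}$")


def file_hashes(path):
    """MD5, SHA-1 and SHA-256 of a file; any of them can be looked up on VirusTotal."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def suspicious_reasons(name, baseline):
    """Why a file name deserves a second look; an empty list means nothing stood out."""
    stem, ext = os.path.splitext(name)
    reasons = []
    if ext == "":
        reasons.append("no extension")
    if ext.lower() in ("", ".dll", ".exe") and RANDOM_STEM.match(stem):
        reasons.append("random-looking name")
    if name.lower() not in baseline:
        reasons.append("not in baseline")
    return reasons


def triage(root, start, end, baseline=BASELINE):
    """Records for every file under root whose mtime lies in [start, end], oldest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):      # os.walk does not follow symlinks
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            if not (start <= st.st_mtime <= end):
                continue
            md5, sha1, sha256 = file_hashes(path)
            hits.append({
                "name": name,
                "path": path,
                "mtime": st.st_mtime,
                "when": datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds"),
                "size": st.st_size,
                "md5": md5, "sha1": sha1, "sha256": sha256,
                "reasons": suspicious_reasons(name, baseline),
            })
    hits.sort(key=lambda r: r["mtime"])
    return hits


def build_sample_dir():
    """Constructed stand-in for System32: one old known file, three written in the window."""
    root = tempfile.mkdtemp(prefix="triage_")
    t0 = 1239224760            # arbitrary fixed epoch time used as the window start
    sample = [                 # (name, content, mtime); contents are placeholders
        ("kernel32.dll", b"MZ legit, old",          t0 - 30 * 86400),
        ("readme.txt",   b"harmless text",          t0 + 30),
        ("abcdxz.dll",   b"MZ dropped dll",         t0 + 60),
        ("kerisudu",     b"dropped, no extension",  t0 + 120),
    ]
    for name, content, mtime in sample:
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(content)
        os.utime(path, (mtime, mtime))
    return root, t0


if __name__ == "__main__":
    root, t0 = build_sample_dir()
    for rec in triage(root, t0, t0 + 300):
        flags = ", ".join(rec["reasons"]) or "-"
        print(f'{rec["when"]}  {rec["size"]:6d}  {rec["sha256"][:16]}...  {rec["name"]:14s}  {flags}')
```

From a rescue CD such as the one used above, the same function can be pointed at the mounted Windows volume (for instance the System32 folder under /media/sdc1) with start and end set to the minute the alert fired; files that the scanners pass but that are new, nameless and unknown to the baseline are the ones to copy off and submit.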

Then I booted into the Recovery Console, ran FixMBR, just in case, and booted Windows XP again. The virus was active immediately, and I saw these randomly named DLLs appear in the System32 folder again. So I booted the Recovery Console once again and took the time to find and delete all suspicious files in several system folders. Then I rebooted and logged on with the administrator account, and the machine was clean. I then cleaned up the references to the deleted files in the registry, and started to look at the Temporary Internet Files folder, because I wanted to know if the virus had really come from an ad on the Yahoo page.

I was able to confirm that. I had not browsed any other page at the time in question, and the evidence was all still there. These are the files that were loaded and cached from this page, all with a timestamp of 11:06pm (the files that I identified as related to the infestation are in red):

The exact sequence of events here is a bit difficult to determine, because there are numerous ad sites involved, JavaScript, Flash, and PDF. I suspect that one of the ad links on the site loaded the file 64[1].pdf, but I don’t know which one. This file is infected and appears to exploit a script security hole in Acrobat (I may need to update my version of the viewer). VirusTotal.com already knew this file (i.e. someone else had already submitted it for scanning) and reported the following:

This domain was registered anonymously with GoDaddy just one day before I got infected (4/7)! We can probably assume that the perpetrators are in the US, or else they would have used a foreign registrar. And they are using a dynamic DNS service. Where is this domain hosted?

C:\>tracert ZEOZTZ.INFO

Tracing route to ZEOZTZ.INFO [66.135.37.21]
over a maximum of 30 hops:

This is a shared hosting server that was likely compromised and hijacked using one of the known PHP security exploits. This lead ends here, and if I feel better again tomorrow, maybe I will write them an email. Either way, this server probably hosts the malware. I did not verify that, since I don’t have a sandbox environment to try it out. But my investigation was far from done.

The binary was downloaded and ended up in the cache as load[1].php. This file was somehow copied into the Local Settings/Temp folder as e.exe, and was executed from there. Believe it or not, this file has version information: BDA Monitor Application, Version 5, 6, 1215, 0, Internal name emmon.exe, Company eMPIA Technology, Inc. Of course I sent this to VirusTotal, which reported the following:

This is when I started to feel a bit sicklish. Once again, my virus scanners were totally in the dark about this threat. Avira, Kaspersky, and BitDefender did not find anything wrong with this file. Ikarus performed far better and recognized all three threats.
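The PDF identified earlier in the post as the likely entry point (64[1].pdf, abusing a scripting hole in Acrobat) is exactly the kind of file a signature scanner misses while a static look at its structure does not. The following is an added example, not code from the original post or from any of the scanners named in it: it undoes escaped PDF names (a common trick to hide /JavaScript from naive grep), inflates FlateDecode streams so that objects packed inside them are scanned too, counts the features that matter for a drive-by (JavaScript, auto-run actions, launch and embedded-file entries), and gives a rough verdict. The token list, the verdict rules and the sample PDF are constructed for illustration; the sample only calls app.alert and contains no exploit.

```python
import re
import zlib

# Tokens worth a second look in a PDF from an untrusted source (an illustrative
# set chosen for this example, not the complete list of dangerous features).
RISKY = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
         b"/EmbeddedFile", b"/RichMedia", b"/AcroForm"]
AUTO_RUN = {"/OpenAction", "/AA"}           # triggers that fire without a click
CODE = {"/JavaScript", "/JS", "/Launch"}    # entries that run something

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM_BODY = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name escapes so /J#61vaScript reads as /JavaScript before scanning."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def decoded_streams(data: bytes):
    """Yield the body of every stream; FlateDecode bodies are inflated, others returned as-is."""
    for m in _STREAM_BODY.finditer(data):
        obj_start = data.rfind(b" obj", 0, m.start())   # dict sits between "N G obj" and "stream"
        stream_dict = normalize_names(data[max(obj_start, 0):m.start()])
        body = m.group(1)
        if b"/FlateDecode" in stream_dict:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass    # truncated or deliberately broken stream: scan the raw bytes instead
        yield body


def count_tokens(blob: bytes) -> dict:
    """Count each risky token; the lookahead keeps /JS from matching longer names."""
    blob = normalize_names(blob)
    counts = {}
    for tok in RISKY:
        n = len(re.findall(re.escape(tok) + rb"(?![A-Za-z])", blob))
        if n:
            counts[tok.decode()] = n
    return counts


def scan_pdf(data: bytes) -> dict:
    """Map token -> {location: count} for the top level and each decoded stream."""
    found = {}

    def merge(counts, where):
        for tok, n in counts.items():
            found.setdefault(tok, {})[where] = n

    # Top level with stream bodies blanked out, so nothing is counted twice.
    merge(count_tokens(_STREAM_BODY.sub(b"stream\nendstream", data)), "top")
    for i, body in enumerate(decoded_streams(data)):
        merge(count_tokens(body), f"stream{i}")
    return found


def risk_level(found: dict) -> str:
    """Rough verdict: code plus an automatic trigger is the shape of a drive-by exploit PDF."""
    toks = set(found)
    if toks & CODE and toks & AUTO_RUN:
        return "high"
    if toks & CODE or toks & AUTO_RUN:
        return "medium"
    return "low" if toks else "none"


def build_sample_pdf() -> bytes:
    """Constructed sample: an escaped /OpenAction in the catalog pointing at JavaScript
    hidden in a FlateDecode stream.  The script only calls app.alert; no exploit."""
    js = b"<< /S /JavaScript /JS (app.alert('constructed sample');) >>"
    packed = zlib.compress(js)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n",
        b"4 0 obj << /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed),
        packed,
        b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    found = scan_pdf(build_sample_pdf())
    for tok, where in found.items():
        print(tok, where)
    print("risk:", risk_level(found))
```

Run against a cached file like 64[1].pdf with `scan_pdf(open(path, "rb").read())`; a PDF served by an ad network has no business carrying JavaScript behind an OpenAction, so a "high" verdict is reason enough to treat it as the dropper even before a scanner agrees.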

The following domain was referenced from one of the other Javascript snippets: